Getting the rights right for DLNA

I installed minidlna on my (otherwise unmodified) NextcloudPi in order to access movies and music from different media players throughout my house.

In my own NC directory there are folders for Music and one for Movies:

root@NCP:/media/USBdisk/ncdata/sven/files# ls -l
drwxr-xr-x 1 www-data www-data    Nov 10 14:19 Movies/
drwxr-xr-x 1 www-data www-data    Nov 10 14:20 Music/

So when installing minidlna, a user as well as a group by that very name are created. But the user minidlna cannot access those directories for scanning and serving out its contents. So I had to add it to the group www-data, which worked. But this will give it potential access to the whole cloud, and every DLNA client in my network would be able to access the directories I set in minidlna.conf. Of course that is the whole point of DLNA and okay for movies and music, but a tiny mistake in this single configuration file would punch a big hole into the security of my whole cloud.

Am I wrong with my fear or is there a better solution for this?

I did it differently. I created a folder outside of NC, owned by the miniDLNA user with chmod 666 or 777 (this folder is also a local network Samba folder). Then I just added it to NC as an “External storage” local folder. That's it, just be aware to add a cronjob to rescan it periodically: https://docs.nextcloud.com/server/15/admin_manual/configuration_files/external_storage_configuration_gui.html#adding-files-to-external-storages

I used this script for me, to rescan only external storages:

Another approach that works is to mount --bind the folder from “$nextcloud_datadir/vincent/files/minidlna/” to “/var/lib/minidlna/collections” (or wherever you have configured the collections).

Since the files inside the data directory are already rwxr-xr-x, “other” users are able to access without having to add them to a group.

1 Like

Actually not, usual files in the data folder have -rw-r--r-- for files and drwxr-xr-x for directories, so not sure if minidlna will live with it.
Also, if minidlna has access to the mount via bind, then it could also read your files directly without it.
If you search the forum for Strong permissions, then you will see that people who apply it will not be able to share directories with minidlna/plex directly.

The mentioned perms work for me. Since perms are given for “others”, it can at least read them and enter the folders.

However, I have the “entrance door” locked up: the data directory itself is locked with drwxrwx--- so minidlna couldn’t enter there, but the bind mount provides a “bridge” to access specific subdirs.

2 Likes
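
Added example, not written by any poster in this thread: a shell helper that walks a path one directory at a time and reports the first directory that users outside the owner and group cannot enter, which is the check behind the locked data directory and bind mount discussed above. The demo tree is constructed, nothing is actually mounted, and the mode bits are read with GNU `stat -c %a` (an assumption about the host).

```shell
#!/bin/sh
# Added example. Walks BASE/REL component by component and prints the first
# directory without the o+x (search) bit, i.e. the point where a user such as
# minidlna (when not in www-data) is stopped. Prints nothing if every
# directory on the way can be entered by "other".
# Only mode bits are inspected; ACLs and group membership are ignored.
first_blocked_for_other() (
    cur=$1
    IFS=/                 # split REL on slashes (subshell: IFS does not leak)
    set -f                # no globbing while splitting
    for part in $2; do
        [ -n "$part" ] || continue
        cur=$cur/$part
        [ -d "$cur" ] || continue          # only directories need search
        mode=$(stat -c %a "$cur") || exit 2
        other=${mode#"${mode%?}"}          # last octal digit = "other"
        if [ $((other & 1)) -eq 0 ]; then
            printf '%s\n' "$cur"
            exit 0
        fi
    done
)

# Constructed demo tree mirroring the thread: a data directory closed to
# "other" (drwxrwx---) with drwxr-xr-x subfolders, plus a plain directory
# standing in for the bind-mount target /var/lib/minidlna/collections.
build_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/ncdata/sven/files/Music" "$d/var/lib/minidlna/collections"
    chmod -R 755 "$d"
    chmod 770 "$d/ncdata"
    printf '%s\n' "$d"
}

demo=$(build_demo_tree)
echo "direct path stops at: $(first_blocked_for_other "$demo" ncdata/sven/files/Music)"
echo "bind target stops at: $(first_blocked_for_other "$demo" var/lib/minidlna/collections)"
rm -rf "$demo"
```

An empty result for the bind target combined with a hit on the data directory is the "locked entrance door" situation: only the subtree exposed at the mount point is reachable for the media server.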